The recent breach of Colonial Pipeline, and the resulting shutdown of fuel distribution along much of the eastern seaboard of the United States, was not an isolated event in the pipeline industry. A ransomware group calling itself Xing Team stole roughly 70 gigabytes of internal files from LineStar Integrity Services and posted them on the dark web. LineStar is a Houston-based company that sells auditing, compliance, maintenance and technology services to pipeline customers.
The data, first spotted online by the WikiLeaks-style transparency group Distributed Denial of Secrets, or DDoSecrets, includes 73,500 emails, accounting files, contracts and other business documents, around 19 GB of software code and data, and 10 GB of human resources files that include scans of employee driver's licenses and Social Security cards. While the breach does not appear to have disrupted any physical infrastructure the way the Colonial Pipeline incident did, security researchers warn that the leaked data could give attackers a roadmap for targeting other pipeline operators.
Joe Slowik, a threat intelligence researcher at security firm Gigamon who has focused on critical infrastructure security for years and formerly headed incident response at Los Alamos National Labs, notes that it is still not clear what sensitive information the 70 GB leak contains. Still, he worries that it could include details of the software architecture or physical equipment used by LineStar's customers, since LineStar supplies information technology and industrial control system software to pipeline operators. Data of that kind describes the target environment itself, not just the vendor, which is what makes a supplier breach useful for reconnaissance against the supplier's clients.
"You can use that to fill in lots of targeting data, depending on what's in there," says Slowik. "It's very concerning, given the potential that it's not just about people's driver's license information or other HR-related items, but potentially data that relates to the operation of these networks and their more critical functionality."
Xing Team is a relatively new entrant to the ransomware ecosystem. Although the group writes its name with a Chinese character on its dark web site (the name comes from the Mandarin word for "star"), there is little reason to believe the group is Chinese based on that name alone, says Brett Callow, a ransomware-focused researcher with antivirus firm Emsisoft. Callow says he has seen Xing Team use a rebranded version of the Mount Locker malware to encrypt victims' files, and then threaten to leak the stolen, unencrypted copies of that data to pressure targets into paying, the double-extortion model now common among ransomware groups. In LineStar's case, Xing Team appears to have followed through on that threat.